Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

UAT-11795 hides Starland RAT in trojanized installers

Cisco Talos names UAT-11795 — a financially motivated Russian actor pushing Starland RAT and bespoke WLDR C2 via trojanized WebEx, Zoom, MobaXterm installers.

UAT-11795 hides Starland RAT in trojanized installers
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 4 min read

Confirmed: Cisco Talos published today, 2026-07-16, a writeup of UAT-11795, a financially motivated actor running trojanized copies of five widely-installed dev and collaboration tools — MobaXterm, WebEx, Zoom, DBeaver, FaceIT — as first-stage carriers for a previously undocumented backdoor (Starland RAT) and a bespoke PowerShell C2 implant (WLDR). Talos says the campaign has been “active since at least June 2025” — approximately thirteen months in the open. Confidence on the mechanics, the tooling, and the campaign window below: as-reported by Talos.

Attribution to a Russian-language operator rests on “Russian-language developer comment[s]” in the campaign’s VBScript stagers. Talos does not state a formal confidence level on the attribution, and does not tie UAT-11795 to any named cluster. Treat the “Russian” label as as-reported by Talos, on developer-comment evidence — not as government-of-Russia attribution.

Targeting and window

  • Since at least June 2025, per Talos.
  • Predominant target: United States. Secondary: Germany, Romania, Venezuela.
  • Industry breakdown: not stated.
  • Victim count: not disclosed.

That the campaign has run thirteen months without a named public writeup before today is the operational point. The tooling below explains part of why.

The delivery chain

Not the installer download. The installer download is the second stage. Talos’s chain, as-reported:

  1. HTA file on a staging domain retrieves an NSIS installer.
  2. The NSIS installer is a trojanized copy of the target application — MobaXterm 26.1, WebEx, Zoom, DBeaver CE, or the FaceIT gaming launcher. A Python loader disguised as LICENSE.txt ships inside the installer.
  3. The loader writes registry persistence, decrypts, and loads Starland RAT into memory.
  4. Starland decides between two shellcode payloads: 64-bit → CastleStealer, or 32-bit → Remcos RAT.

Staging domains named by Talos: eorthopaedics[.]com, sastoro[.]com, web-devtools[.]com, zynaris[.]io. Distribution mechanism is not confirmed in the published writeup; Talos notes ClickFix-style social engineering as one plausible route, consistent with today’s separate ClickLock macOS ClickFix disclosure, but does not commit to it — unconfirmed — treat accordingly.

For the class of infrastructure: this is the same “seed a network of lookalike/staging domains and serve trojanized copies of installer-grade software” pattern Infoblox documented against Lurking Lizard’s fake 7-Zip and WireVPN pushers earlier this month. Different actor, different payload, same distribution shape.

Starland RAT — what Talos observed

Novel implant, no prior public writeup. Per Talos, capabilities as-reported:

  • Sandbox detection. Hardcoded checks for the WDAGUtilityAccount username and for hostnames including Cuckoo and Any.Run — the same static tell-list every commodity stealer ships with, but present.
  • Zone.Identifier alternate data stream check. Reads the mark-of-the-web ADS before continuing execution. Analyst-station artifacts get flagged; a real user’s download does not.
  • Persistence on two paths. A scheduled task named PythonLauncher-{three random characters}, and an LNK shortcut in the Startup folder written via WScript.Shell.
  • AMSI and ETW bypasses in the shellcode stage.
  • Collection. Browser data, credentials for 40+ cryptocurrency wallets, system fingerprint (HWID, RAM, processor, OS, antivirus vendor), and Active Directory enumeration on the host’s domain if joined.
  • Operator functions. Screenshot capture, shell command execution, arbitrary shellcode injection, arbitrary payload download.

The AD enumeration is the tell. This is not a pure crypto-stealer wearing enterprise clothes; it is a stealer with the reach to walk to a domain controller if the operator wants it to. Whether they have wanted it to on any of the observed victims: not disclosed.

WLDR — the bespoke C2

Separate implant, PowerShell-based. Per Talos:

  • PBKDF2-SHA256 for its encryption layer.
  • Memory-only operations — no on-disk footprint for the C2 stage.
  • Hardware-ID binding — a session tied to one machine’s HWID, not portable to an analyst’s rebuild.

C2 domains, as-reported: windowscreenrepairnearme[.]com and aipythondevs[.]com as primary Starland C2, with polygon-rpc[.]com as a blockchain-based fallback — an on-chain retrieval mechanism that survives takedown of the HTTPS C2 pair. That fallback is the reason a network-level block on the two primary domains is not a full eviction. Same pattern surfaced this year in multiple stealer families using on-chain C2 recovery — Starland is the newest example, not the first.

What is not confirmed

  • Attribution beyond “Russian-language developer comments.” No confidence level; no named cluster; no state alignment claim. Treat accordingly.
  • Victim count and industry mix. Not stated.
  • Whether the two secondary payloads (CastleStealer, Remcos) are the full set or whether Talos has held back a longer list. Unconfirmed.
  • Distribution mechanism. ClickFix speculated, not committed. Unconfirmed.
  • File hashes and full IOCs. Talos points at its GitHub IOC repository for the indicator dump; this piece does not reproduce hashes.

What this argues on the defensive side

  • Watch the download source, not just the file. All five trojanized installers are legitimate applications — a hash comparison against the vendor’s canonical release will separate them, but only if the analyst knows the canonical hash. Blocking downloads by source domain (not by application name) closes more of this shape than post-execution EDR does.
  • PythonLauncher-* scheduled tasks and Startup-folder LNK shortcuts writing PowerShell. Neither is exotic; both are still under-alerted in commodity SOC baselines. If Starland is in the environment, both signals fire.
  • Egress to polygon-rpc[.]com from a workstation is not a developer signal. On a build-engineer or blockchain-team box it may be legitimate; on a general-user endpoint it is a candidate C2 fallback. Alert on the class of destination, not the specific domain — the blockchain-fallback pattern will keep rotating.
  • WDAGUtilityAccount and Cuckoo/Any.Run as hostnames are still viable analyst tells — set analyst VMs to real-looking hostnames and non-sandbox usernames, or Starland (and everything else with the same static list) will simply not detonate.

Track further Talos-attributed campaigns and threat-actor writeups at /topics/threat-intel/.

Sources

Confidence on the tooling and TTPs above: as-reported by Cisco Talos. Attribution: as-reported, on developer-comment evidence — no named cluster, no state alignment claim. Distribution mechanism and full victim scope: unconfirmed — treat accordingly.

Found this useful? Share it.